Access control for data brought into Zeppelin depends on the underlying data source:

To configure access control for Spark data, Zeppelin must be running as an end user
("identity propagation"). Zeppelin implements access control using Livy. When identity
propagation is enabled via Livy, data access is controlled by the type of data source
being accessed. For example, when you access HDFS data, access is controlled by HDFS
permissions.